FiorLab is CBI outsourcing compliance software purpose-built for Irish regulated entities — funds, banks, insurers, payment firms, and fintech under Central Bank of Ireland supervision. CBI Cross-Industry Outsourcing Guidance, DORA Article 28 overlap, outsourcing register, materiality and criticality assessment, and supervisory review readiness. Built in Dublin by Irish-registered FiorLab Limited (CRO 813471).
Ireland is the European home of investment funds, cross-border insurance, payment institutions, and a fast-growing fintech sector. Every one of those firms answers to the Central Bank of Ireland (CBI). And the CBI has been clear about the direction of travel: its 2026 supervisory priorities call third-party, operational, and cyber risk a "very high threat" for the regulated sector. On-site reviews, information requests, and themed inspections are running through 2026, framed in DORA terminology, and the CBI has indicated it will refresh the Cross-Industry Outsourcing Guidance in H2 2026 to align with DORA.
Most off-the-shelf supplier risk and GRC tools are not built for this regulator. They map first to NIST, COSO, US frameworks, or the EBA generic baseline. They reach the CBI's specific language — "materiality" and "criticality" thresholds, the outsourcing register at entity-and-group level, the management-body sign-off, the three-lines-of-defence chain — through professional services rather than out-of-the-box. For Irish-domiciled funds, insurers, and fintech that means weeks-to-months of customisation before the platform produces an output a CBI inspector would accept.
FiorLab solves that. We are Irish-registered (CRO 813471), Dublin-headquartered, and built the CBI assessment type into the platform from day one. Every feature on this page is in production today.
The CBI's Cross-Industry Outsourcing Guidance was published in December 2021 and applies to all CBI-regulated firms. It is principles-based and risk-based, deliberately broader than the EBA Guidelines on Outsourcing Arrangements (EBA/GL/2019/02) and broader than DORA Article 28 (which addresses ICT third-party arrangements specifically). Five core obligation areas show up at every supervisory review.
Every regulated firm must maintain an outsourcing register at entity, sub-consolidated, and consolidated levels. Each entry must distinguish critical-or-important functions from non-critical, document the service description, identify sub-contractors, record locations of performance and data processing, and link to the signed contract. The register must be available to the CBI on request. For ICT-in-scope arrangements, the register is the DORA Article 28(3) register of information and must follow the template set by the ESAs' implementing technical standards (ITS).
Per outsourcing arrangement, the firm must assess whether the function is material or critical to its operations. The CBI expects a documented methodology with criteria, scoring, and approver — not "everyone knows the core-banking provider is critical". The materiality decision drives the contractual provisions, the management-body involvement, and the supervisory expectations on ongoing oversight.
Before contracting, the firm must conduct a risk assessment covering operational, financial, legal, reputational, and concentration risk. The assessment must consider whether the arrangement could impede the CBI's supervisory access and must surface concentration concerns where the firm has multiple arrangements with the same provider or with closely connected providers (CBI Section 6; aligns with DORA Article 29).
The firm must monitor the arrangement throughout its life — KPI and SLA performance, sub-outsourcing changes, financial health of the provider, regulatory and security events. For critical-or-important functions, the CBI expects structured monitoring with documented escalation paths, not "we read the provider's quarterly report".
For material outsourcing, the firm must have a documented exit strategy covering provider failure, deterioration, business disruption, and failed provision (aligns with DORA Article 28(8)). The strategy must include named alternative providers or in-house reintegration plan, a transition period during which the provider continues services, and a recent test of the plan (tabletop or live). "We've thought about it" does not satisfy the CBI.
The Central Bank of Ireland's 2026 supervisory priorities elevate third-party, operational, and cyber risk to "very high threat" for the regulated sector. Five concrete supervisory behaviours to expect.
CBI inspectors are asking for the outsourcing register in the ESAs ITS XBRL taxonomy for ICT arrangements. A spreadsheet that nobody reconciles against the actual contracts is the most common gap.
"Walk us through how you decided this provider supports a critical or important function" is now a standard supervisory question. Firms relying on implicit criticality get findings; firms with a documented scoring methodology and named approver do not.
Sub-outsourcing chains, in particular tier-2 cloud and managed-services dependencies, are the focus area. The dependency map must extend beyond the tier-1 provider, with consent records wherever the contract requires the firm's consent to sub-outsourcing.
Concentration-risk reporting to the management body at entity and group level — by provider, by sub-processor, by jurisdiction. "Not easily substitutable" providers must be identified and managed.
"When did you last test the exit plan?" The expected answer is a dated tabletop or live test report with findings and remediation status acknowledged by the management body. "Never tested" is a finding.
For Irish regulated entities with ICT third-party arrangements, both frameworks apply simultaneously. DORA Article 28 is the binding EU regulation; the CBI Guidance is the Irish national overlay with the CBI as the National Competent Authority. The CBI Guidance covers non-ICT outsourcing that DORA does not address (e.g. fund administration, transfer agency, intra-group outsourcing of non-ICT services). DORA covers ICT third-party arrangements at uniform EU level.
The practical implication for CBI outsourcing compliance software: the platform must support both the CBI assessment type (broader scope, principles-based) and the DORA Article 28 assessment type (ICT-specific, binding, with the ESAs ITS register template). FiorLab supports both natively.
Across the rest of the EU, the equivalent national variants apply: BaFin/MaRisk and BAIT in Germany, DNB's outsourcing circular in the Netherlands, ACPR's outsourcing notice in France, CSSF Circular 22/806 in Luxembourg. The EBA's guidelines on third-party risk management for non-ICT services (consulted as EBA/CP/2025/12) are the imminent EU baseline; once the final text is published it becomes the "critical-on-publish" trigger for the EU_OUTSOURCING assessment template.
Three structural failure modes when an Irish CBI-regulated entity tries to use a US-centric supplier risk or GRC platform.
US-centric tools map first to NIST, COSO, SOC 2, and US frameworks. CBI Guidance, EBA outsourcing, and DORA require EU-specific assessment templates, language, and reporting fields. The mapping is delivered through professional services rather than out-of-the-box, which means weeks-to-months of customisation before the platform produces output a CBI inspector would accept.
US-headquartered tools remain subject to FISA Section 702 and the CLOUD Act regardless of where customer data is hosted. The Schrems II ruling (CJEU, July 2020) invalidated the Privacy Shield adequacy decision precisely because US surveillance law reaches data held by US-controlled providers and EU data subjects lacked effective redress; hosting location alone does not remove that corporate-jurisdiction exposure. After the EU Tech Sovereignty Package adopted 3 June 2026, EU corporate jurisdiction is a formal procurement-scoring criterion at regulated buyers under DORA, NIS2, EBA, and CBI outsourcing frameworks.
Irish-domiciled funds, insurers, and fintech run multi-jurisdictional supplier portfolios — Irish CRO, UK Companies House, German Handelsregister, EU-wide VIES and GLEIF, plus the IAF CertSearch global accredited-body database. Most US-centric tools rely on paid premium data partners (Dun & Bradstreet, Bureau van Dijk) rather than live EU public registry calls. The buyer pays for what should be a free signal and gets it stale by weeks rather than fresh by seconds.
The CBI assessment type in FiorLab is a first-class workflow, not a renamed generic questionnaire. Five steps from start to audit-ready output.
Add the supplier via CSV import or manual entry. FiorLab calls CRO Ireland (for Irish-registered suppliers), UK Companies House, German Handelsregister, VIES, and GLEIF live. The registry status, registered name, and entity identifier are written to the supplier record with a timestamp. ISO certifications declared by the supplier are auto-verified against the accredited certification body via IAF CertSearch.
Select the CBI assessment type. The platform presents the CBI-specific question bank — materiality and criticality criteria with a defensible scoring methodology, sub-outsourcing assessment with chain-of-consent capture, concentration risk inputs (multiple arrangements with the same provider, jurisdictional concentration), management-body sign-off prompt for critical-or-important functions, and the three-lines-of-defence sign-off chain.
FiorLab scores the supplier across financial stability, regulatory compliance, ESG/sustainability, delivery performance, quality management, and innovation. Each dimension carries a verification multiplier (registry_verified 1.0x through self_declared 0.65x) and a document staleness decay (fresh through expired). The resulting score is deterministic, rules-based, and traceable to the underlying evidence.
One click produces an audit-ready PDF report. Every score traces to a registry record, certification body lookup, or OCR-verified document with timestamps. The report includes the CBI-specific sections (materiality assessment, criticality decision, concentration view, exit strategy reference, three-lines-of-defence sign-off log) plus the standard score evidence chain. Suitable for the supervisory file.
Once the supplier is onboarded, FiorLab continues to monitor: weekly certificate re-verification via the IAF CertSearch cron, a daily job that re-checks each registry record once its last check is 30 days old, document staleness decay applied automatically, anomaly detection across six anomaly types, and a full immutable audit trail of every change. When the CBI asks for the latest position at a moment's notice, the answer is one query away.
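The scoring and monitoring steps above describe a deterministic, evidence-traceable score: a raw score per dimension, scaled by a verification multiplier and a staleness decay, with every number pointing back to the record that produced it. The block below is an added illustration of that pattern, not FiorLab's code. Only the six dimension names and the two multiplier endpoints (registry_verified 1.0x, self_declared 0.65x) come from the page; the intermediate multiplier levels, the staleness bands and their day limits, the equal dimension weights, the anomaly labels, and the sample supplier evidence are all assumptions constructed for the example.

```python
"""Deterministic supplier scoring with verification multipliers and staleness decay.

Added example, not FiorLab's implementation. Everything except the six dimension
names and the 1.0x / 0.65x multiplier endpoints is an assumption for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Verification ladder. The page gives only the endpoints; the two middle
# levels and their values are assumed for this example.
VERIFICATION_MULTIPLIER = {
    "registry_verified": 1.00,   # live CRO / Companies House / GLEIF lookup
    "cert_body_verified": 0.90,  # ISO cert matched via IAF CertSearch (assumed value)
    "document_verified": 0.80,   # OCR-checked supplier document (assumed value)
    "self_declared": 0.65,       # supplier's own statement, nothing else
}

# Staleness bands as (max age in days, decay factor, label). Only "fresh" and
# "expired" appear on the page; the limits and factors here are assumptions.
STALENESS_BANDS = [(90, 1.0, "fresh"), (180, 0.9, "aging"), (365, 0.7, "stale")]
EXPIRED = (0.0, "expired")   # expired evidence contributes nothing to the score

DIMENSIONS = (
    "financial_stability", "regulatory_compliance", "esg_sustainability",
    "delivery_performance", "quality_management", "innovation",
)


@dataclass(frozen=True)
class Evidence:
    dimension: str
    raw_score: float      # 0..100, produced by the dimension's own rules
    verification: str     # key into VERIFICATION_MULTIPLIER
    verified_on: date     # timestamp written when the check actually ran
    source: str           # where an inspector can re-check the figure


def staleness(verified_on: date, today: date):
    """Map evidence age to (decay factor, band label, age in days)."""
    age = (today - verified_on).days
    for limit, factor, label in STALENESS_BANDS:
        if age <= limit:
            return factor, label, age
    return EXPIRED[0], EXPIRED[1], age


def score_evidence(ev: Evidence, today: date) -> dict:
    """One evidence-chain row: raw input, both factors, and the weighted result."""
    mult = VERIFICATION_MULTIPLIER[ev.verification]   # unknown level -> KeyError, fail loudly
    decay, band, age = staleness(ev.verified_on, today)
    return {
        "dimension": ev.dimension, "raw": ev.raw_score,
        "verification": ev.verification, "multiplier": mult,
        "age_days": age, "staleness": band, "decay": decay,
        "weighted": round(ev.raw_score * mult * decay, 2),
        "source": ev.source,
    }


def score_supplier(evidence, today: date) -> dict:
    """Rules-based roll-up: same evidence and date always give the same output."""
    chain = [score_evidence(e, today) for e in evidence]
    dims = {d: 0.0 for d in DIMENSIONS}
    for row in chain:
        # Several pieces of evidence for one dimension: keep the strongest.
        dims[row["dimension"]] = max(dims[row["dimension"]], row["weighted"])
    anomalies = [f"missing_evidence:{d}" for d in DIMENSIONS
                 if not any(r["dimension"] == d for r in chain)]
    anomalies += [f"expired_evidence:{r['dimension']}" for r in chain
                  if r["staleness"] == "expired"]
    return {
        "as_of": today.isoformat(),
        "overall": round(sum(dims.values()) / len(DIMENSIONS), 2),  # equal weights (assumption)
        "dimensions": dims,
        "anomalies": sorted(anomalies),
        "evidence_chain": chain,
    }


# Constructed evidence for a fictional supplier; dates chosen to hit every band.
SAMPLE_EVIDENCE = [
    Evidence("financial_stability", 80, "registry_verified", date(2026, 6, 1), "CRO Ireland status lookup"),
    Evidence("regulatory_compliance", 90, "cert_body_verified", date(2026, 1, 15), "IAF CertSearch: ISO/IEC 27001"),
    Evidence("esg_sustainability", 70, "self_declared", date(2026, 5, 30), "supplier questionnaire"),
    Evidence("delivery_performance", 85, "document_verified", date(2025, 6, 1), "OCR: SLA report FY2024"),
    Evidence("quality_management", 95, "cert_body_verified", date(2025, 10, 1), "IAF CertSearch: ISO 9001"),
]
AS_OF = date(2026, 6, 29)


def demo_result() -> dict:
    return score_supplier(SAMPLE_EVIDENCE, AS_OF)


if __name__ == "__main__":
    import json
    print(json.dumps(demo_result(), indent=2))
```

Two things worth noticing when running it: the FY2024 SLA report scores zero, not "a bit less", because the assumed expired band contributes nothing, and the missing innovation evidence is reported as an anomaly rather than silently averaged in. Both are the kind of signal the monitoring step should raise before a supervisor does.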
Comparison rows are based on publicly available product documentation, official websites, and analyst coverage as of 29 June 2026. To request a correction, email hello@fiorlab.com.
| | FiorLab | Aprovall | Vendorica | OneTrust |
|---|---|---|---|---|
| HQ jurisdiction | Ireland (Dublin, CRO 813471) | France (EU) | USA | USA |
| Data residency | EU (Frankfurt) | EU | US default; EU on Enterprise | US default; EU on Enterprise |
| CBI assessment type native | Yes — first-class | Generic EU mapping | Via professional services | Via professional services |
| CRO Ireland registry verification | Live integration | Not advertised | Paid premium data only | Paid premium data only |
| DORA Article 28 + CBI overlap | Both natively | DORA only | DORA only | DORA only (modular) |
| Outsourcing register in ESAs ITS template | Export-ready | Available | Via PS | Via PS |
| Published pricing | Free + from €329/mo | Contact sales | Contact sales | Contact sales |
| Time to first audit-ready output | ~5 minutes | Days | Days–weeks | Weeks |
| Best fit for Irish-regulated entity | Funds, insurers, fintech, payment firms | Procurement-led mid-market | Global mid-market with US footprint | Enterprise multi-region GRC |
CBI outsourcing compliance software is a system used by Central Bank of Ireland regulated entities — banks, insurers, investment funds, payment firms, e-money institutions, and fintech — to demonstrate compliance with the CBI Cross-Industry Outsourcing Guidance (December 2021) and the related DORA Article 28 obligations for ICT third-party arrangements. The minimum bar is a maintained outsourcing register, criticality and materiality assessment per arrangement, ongoing risk monitoring, exit strategies for critical or important functions, and an auditor-defensible evidence chain for supervisory reviews.
The CBI Cross-Industry Outsourcing Guidance (December 2021) sets the Irish supervisory expectations on outsourcing arrangements for all CBI-regulated entities. Core requirements: a documented outsourcing register at entity, sub-consolidated, and consolidated levels; a materiality and criticality assessment per outsourcing arrangement; pre-outsourcing risk assessment; ongoing oversight with KPI and SLA monitoring; documented exit strategies for material outsourcing; sub-outsourcing assessment and approval; concentration risk assessment; and management-body sign-off for critical or important functions. The CBI has indicated it will refresh the guidance in H2 2026 to align with DORA.
Yes. The Central Bank of Ireland's 2026 supervisory priorities explicitly call third-party, operational, and cyber risk a "very high threat" for the regulated sector. Outsourcing arrangements and ICT third-party providers are the supervisory focus across the regulated population, with on-site reviews and information requests running through 2026, framed in DORA terminology.
DORA Article 28 sets binding requirements for ICT third-party arrangements at EU level — uniform across all 27 member states. The CBI Cross-Industry Outsourcing Guidance sits alongside DORA at national level and applies to all outsourcing arrangements (not just ICT). For ICT-in-scope arrangements at Irish regulated entities, both regimes apply: DORA Article 28 is the binding EU regulation; the CBI Guidance is the Irish national overlay with the CBI as the National Competent Authority. Many obligations align (register, criticality, contractual provisions, exit, concentration); the CBI Guidance covers non-ICT outsourcing that DORA does not address.
Every CBI-regulated entity must maintain an outsourcing register listing every outsourcing arrangement, distinguishing critical-or-important functions from non-critical ones. For ICT arrangements, the register must follow the ESAs ITS template under DORA Article 28(3). The register must be available on supervisory request and is the primary supervisory artefact at CBI on-site reviews. In CBI outsourcing compliance software the register is not a quarterly export — it is the single source of truth that the operational team uses daily, with an immutable audit trail of every change.
Three reasons. First, US-centric tools typically map first to NIST, COSO, and US GRC frameworks; CBI Guidance, EBA outsourcing, and DORA require EU-specific assessment templates and language that US tools deliver via professional services rather than out-of-the-box. Second, US-headquartered tools remain subject to FISA Section 702 and the CLOUD Act regardless of where customer data is hosted — a procurement-scoring concern under the EU Tech Sovereignty Package adopted 3 June 2026. Third, Irish funds, insurers, and fintech run multi-jurisdictional supplier portfolios that need live verification against Irish CRO, UK Companies House, German Handelsregister, VIES, GLEIF, and IAF CertSearch — most US-centric tools rely on paid premium data partners (D&B, Bureau van Dijk) rather than live EU public registry calls.
We're Irish, we're in Dublin, and we built FiorLab for the regulator we sit closest to. FiorLab Limited (CRO 813471) is self-verified via our own CRO Ireland API integration. The CBI's 2026 supervisory priorities tell every regulated firm what's coming. The platforms purpose-built for that wave are the ones that don't make a CBI inspector translate the output before they can read it. If you would like to talk through how the CBI assessment type maps onto your firm's operating model — funds, insurers, payment firms, or fintech — reach us at hello@fiorlab.com.
— Word from our founder
Final free pilot cohort closes 30 June 2026 · paid-only from 1 July. Up to 5 suppliers, native CBI assessment type, audit-ready PDF from day one. Dublin-built, EU-hosted, customer-owns-data.
Start Your Free Pilot